in the SDF locations window, a summary appears listing the changes that will be deployed to the router, as shown in Figure . The summary includes the interfaces and the direction in which the IPS rules will be applied, the SDF location, and whether the built-in signatures are enabled for backup use. Once you have reviewed the summary, deploy the configuration by clicking the Finish button.

Verifying IPS Deployment
After the IPS commands that the wizard generates are sent to the router, you are brought to the Edit IPS tab. Figure shows the steps that you use to access the Cisco SDM signatures form where you can verify your IPS deployment. In the menu under the Edit IPS tab, you can verify and modify the configured settings and view and tune the available signatures. There are four sections in the Edit IPS menu:
  1. IPS policies
  2. Global settings
  3. Security Device Event Exchange (SDEE) messages
  4. Signatures

6.5 Configuring Cisco IOS IPS

6.5.7 Configuring IPS Policies and Global Settings

Figure shows the Cisco SDM Edit IPS Policies tab with the IPS Policies feature selected. Click IPS Policies in the menu part of the Edit IPS tab to verify the assignment of IPS rules to the router interfaces. In the example, the only enabled IPS rule is attached to the Serial0/0/0 interface in the inbound direction. This configuration matches the settings you previously submitted in the IPS Policies wizard. This rule corresponds to the Identifying Interfaces and Flow Direction step of the IPS Policies wizard, in which the IPS rule was applied inbound to the outside interface (Serial0/0/0).

Global Settings
Figure shows the Cisco SDM Edit IPS Policies tab with the Global Settings feature selected. This tab is where you view and modify the IPS global settings using the SDM. The global settings are the general IPS settings that are configured on the router. They include the reporting settings for two protocols: syslog and SDEE.

Note: SDEE is an application-level communications protocol that is used to exchange IPS messages between IPS clients and IPS servers. You do not need to configure the address of the SDEE server. SDM uses SDEE to reference and extract the event logs from the router.

In this tab, you also see the status of the fail-closed setting. The SDM default is fail-closed disabled. If fail-closed is enabled, the router drops all packets whenever the IPS engine is unable to scan data. Finally, you can verify whether the built-in signatures have been enabled as a backup for use if the configured SDF is unavailable or cannot be loaded. If you want to modify any of these global settings, click the Edit button in the upper-right corner of the window. A configuration window opens in which you can modify any of the parameters that you see in Figure .
6.5.8 Viewing SDEE Messages

Figure shows the Cisco SDM Edit IPS Policies tab with the SDEE Messages feature selected and the list of SDEE message types displayed. The SDM offers you the option to view the SDEE messages if you click SDEE Messages in the middle part of the Edit IPS tab. By default, all message types appear in the window. You can limit the number of messages that appear by selecting a category from the SDEE Messages drop-down list in the upper-right corner.

Note: This SDEE Messages view does not work in real time. If you want to display the current messages, you need to click the Refresh button in the upper-right corner of the window.

Viewing SDEE Status Messages
You can use the SDM to view the SDEE status messages. Figure shows the Cisco SDM Edit IPS Policies tab with the SDEE Messages feature selected and the SDEE Status message type selected. Choose Status from the SDEE Messages drop-down list to display the status events only. This view includes reports about the status of all IPS engines. You can see the compilation results and status for each engine that has signatures associated with it. You can also see which engines have not been built because no signatures were associated with them. You can identify such engines by looking for the message ENGINE_BUILD_SKIPPED: [engine name] – there are no new signature definitions. In this example, the MULTI-STRING engine has not been built.

Viewing SDEE Alerts
You can use the SDM to view the SDEE alerts. Figure shows the Cisco SDM Edit IPS Policies tab with the SDEE Messages feature selected and the SDEE Alerts message type selected. Choose Alerts from the SDEE Messages drop-down list to view the alerts only. The alerts are fired by the enabled signatures that you included in the loaded SDF. The messages display all the details of a firing signature, such as the target and attacker IP addresses, alarm severity, signature ID and sub-ID, signature name, and more.

Note: Although you can view all the details about a specific alert, this view is not intended to provide real-time monitoring capabilities. The view does not have the filtering, search, or correlation functions that a monitoring solution requires.

In the example, you can see that an attacker has been attempting IIS Unicode, IIS DOT DOT Execute, and WWW Directory Traversal attacks against a protected system running Internet Information Server (IIS). Signatures 3215, 3216, and 5114 fired alarms with medium severity. If you scroll down the tab, you can view the attacker and target IP addresses and other information.
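The filtering and correlation that the SDEE Alerts view lacks can be done outside SDM once the alerts have been collected. The following is an added example, not part of the original course material or of the SDM product; it runs over constructed alert records carrying the fields the view displays (signature ID and sub-ID, name, severity, attacker and target address) and flags a source that trips several distinct signatures against one target, the pattern behind the 3215/3216/5114 sequence in the example above.

```python
"""Filter and correlate Cisco IOS IPS alerts the way a monitoring tool would.

Added example, not from the course text or SDM. The alert records are
constructed and only mirror the fields the SDEE Alerts view shows."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsAlert:
    sig_id: int
    sub_id: int
    name: str
    severity: str          # informational | low | medium | high
    attacker: str
    target: str


# Constructed sample alerts: one source trying the three IIS signatures named
# in the text (3215, 3216, 5114) against one host, plus unrelated noise.
SAMPLE_ALERTS = [
    IpsAlert(3215, 0, "IIS Unicode Attack", "medium", "198.51.100.7", "192.0.2.10"),
    IpsAlert(3216, 0, "IIS DOT DOT Execute Attack", "medium", "198.51.100.7", "192.0.2.10"),
    IpsAlert(5114, 0, "WWW Directory Traversal", "medium", "198.51.100.7", "192.0.2.10"),
    IpsAlert(2004, 0, "ICMP Echo Request", "informational", "203.0.113.5", "192.0.2.10"),
    IpsAlert(3215, 0, "IIS Unicode Attack", "medium", "203.0.113.5", "192.0.2.11"),
]

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def filter_alerts(alerts, min_severity="medium", sig_ids=None):
    """Return alerts at or above min_severity, optionally limited to sig_ids."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts
            if SEVERITY_RANK[a.severity] >= floor
            and (sig_ids is None or a.sig_id in sig_ids)]


def correlate_by_attacker(alerts, min_distinct_sigs=3):
    """Group alerts per (attacker, target) pair and keep the pairs where the
    source tripped at least min_distinct_sigs different signatures: a probing
    pattern that single alert lines in the SDEE view do not reveal."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a.attacker, a.target)].add((a.sig_id, a.sub_id))
    return {pair: sorted(sigs) for pair, sigs in seen.items()
            if len(sigs) >= min_distinct_sigs}


if __name__ == "__main__":
    for pair, sigs in correlate_by_attacker(filter_alerts(SAMPLE_ALERTS)).items():
        print(f"{pair[0]} -> {pair[1]}: signatures {sigs}")
```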
6.5.9 Tuning Signatures

You may want to change the signatures you have defined: you can edit an individual signature or disable a whole signature group. Figure shows the Cisco SDM Edit IPS Policies tab with the Signatures feature selected and the Edit signatures button identified. To view the parameters of a specific signature or tune its settings, click Signatures in the middle part of the Edit IPS tab, select the appropriate signature category from the list in the middle of the window, and locate the desired signature in the right part of the window. You can also use the search options Select by and Criteria at the top of the window to find the signature quickly. In the example, you want to view and modify the settings of the signature named Invalid DHCP Packet, number 4619, which is listed under the Attack category. Select the signature and click the Edit button to launch the Edit Signature window.

Editing a Signature
Figure shows the Edit Signatures window and identifies how to edit the various signature parameters. When the Edit Signature window opens, you can view the current signature settings. Select an option that you want to modify by clicking the green square next to it. The green square turns red, and you can then select the desired setting from the drop-down list associated with that parameter. In the example, the alarm severity is increased from the default value of medium to high. Click OK to apply the change to the router.

Disabling a Signature Group
Figure shows the Cisco SDM Edit IPS Policies tab with the Signatures feature selected and the steps you use to disable a group of signatures. SDM allows you to disable individual signatures or entire signature groups. In the example, the Cisco IOS router protects a network that contains only Windows hosts. To tune the active signatures to better match this environment, disable all UNIX-related signatures:
  Step 1 Select the UNIX sub-tree under the OS signature category.
  Step 2 Click the Select All button to select all signatures in the selected category.
  Step 3 Click the Disable button to disable all selected signatures on the IOS router.
  Step 4 Click the Apply Changes button to deliver the configuration to the device.

Verifying the Tuned